diff --git a/controller/changePassword.go b/controller/changePassword.go
index 7b303126..915c84cd 100644
--- a/controller/changePassword.go
+++ b/controller/changePassword.go
@@ -18,7 +18,7 @@ func newChangePasswordHandler(cfg *config.Config) *changePasswordHandler {
 	}
 }
 
-func (handler *changePasswordHandler) Handle(params account.ChangePasswordParams) middleware.Responder {
+func (handler *changePasswordHandler) Handle(params account.ChangePasswordParams, principal *rest_model_zrok.Principal) middleware.Responder {
 	if params.Body == nil || params.Body.Email == "" || params.Body.OldPassword == "" || params.Body.NewPassword == "" {
 		logrus.Error("missing email, old, or new password")
 		return account.NewChangePasswordUnauthorized()
diff --git a/rest_client_zrok/account/account_client.go b/rest_client_zrok/account/account_client.go
index 85b204e2..245a3be1 100644
--- a/rest_client_zrok/account/account_client.go
+++ b/rest_client_zrok/account/account_client.go
@@ -30,7 +30,7 @@ type ClientOption func(*runtime.ClientOperation)
 
 // ClientService is the interface for Client methods
 type ClientService interface {
-	ChangePassword(params *ChangePasswordParams, opts ...ClientOption) (*ChangePasswordOK, error)
+	ChangePassword(params *ChangePasswordParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*ChangePasswordOK, error)
 
 	Invite(params *InviteParams, opts ...ClientOption) (*InviteCreated, error)
 
@@ -50,7 +50,7 @@ type ClientService interface {
 /*
 ChangePassword change password API
 */
-func (a *Client) ChangePassword(params *ChangePasswordParams, opts ...ClientOption) (*ChangePasswordOK, error) {
+func (a *Client) ChangePassword(params *ChangePasswordParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*ChangePasswordOK, error) {
 	// TODO: Validate the params before sending
 	if params == nil {
 		params = NewChangePasswordParams()
@@ -64,6 +64,7 @@ func (a *Client) ChangePassword(params *ChangePasswordParams, opts ...ClientOpti
 		Schemes:            []string{"http"},
 		Params:             params,
 		Reader:             &ChangePasswordReader{formats: a.formats},
+		AuthInfo:           authInfo,
 		Context:            params.Context,
 		Client:             params.HTTPClient,
 	}
diff --git a/rest_server_zrok/embedded_spec.go b/rest_server_zrok/embedded_spec.go
index b96f57bd..6ac8f483 100644
--- a/rest_server_zrok/embedded_spec.go
+++ b/rest_server_zrok/embedded_spec.go
@@ -76,6 +76,11 @@ func init() {
     },
     "/changePassword": {
       "post": {
+        "security": [
+          {
+            "key": []
+          }
+        ],
         "tags": [
           "account"
         ],
@@ -1750,6 +1755,11 @@ func init() {
     },
     "/changePassword": {
       "post": {
+        "security": [
+          {
+            "key": []
+          }
+        ],
         "tags": [
           "account"
         ],
diff --git a/rest_server_zrok/operations/account/change_password.go b/rest_server_zrok/operations/account/change_password.go
index 2c5b1f3b..5324b58e 100644
--- a/rest_server_zrok/operations/account/change_password.go
+++ b/rest_server_zrok/operations/account/change_password.go
@@ -9,19 +9,21 @@ import (
 	"net/http"
 
 	"github.com/go-openapi/runtime/middleware"
+
+	"github.com/openziti/zrok/rest_model_zrok"
 )
 
 // ChangePasswordHandlerFunc turns a function with the right signature into a change password handler
-type ChangePasswordHandlerFunc func(ChangePasswordParams) middleware.Responder
+type ChangePasswordHandlerFunc func(ChangePasswordParams, *rest_model_zrok.Principal) middleware.Responder
 
 // Handle executing the request and returning a response
-func (fn ChangePasswordHandlerFunc) Handle(params ChangePasswordParams) middleware.Responder {
-	return fn(params)
+func (fn ChangePasswordHandlerFunc) Handle(params ChangePasswordParams, principal *rest_model_zrok.Principal) middleware.Responder {
+	return fn(params, principal)
 }
 
 // ChangePasswordHandler interface for that can handle valid change password params
 type ChangePasswordHandler interface {
-	Handle(ChangePasswordParams) middleware.Responder
+	Handle(ChangePasswordParams, *rest_model_zrok.Principal) middleware.Responder
 }
 
 // NewChangePassword creates a new http.Handler for the change password operation
@@ -45,12 +47,25 @@ func (o *ChangePassword) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
 		*r = *rCtx
 	}
 	var Params = NewChangePasswordParams()
+	uprinc, aCtx, err := o.Context.Authorize(r, route)
+	if err != nil {
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+	if aCtx != nil {
+		*r = *aCtx
+	}
+	var principal *rest_model_zrok.Principal
+	if uprinc != nil {
+		principal = uprinc.(*rest_model_zrok.Principal) // this is really a rest_model_zrok.Principal, I promise
+	}
+
 	if err := o.Context.BindValidRequest(r, route, &Params); err != nil { // bind params
 		o.Context.Respond(rw, r, route.Produces, route, err)
 		return
 	}
 
-	res := o.Handler.Handle(Params) // actually handle the request
+	res := o.Handler.Handle(Params, principal) // actually handle the request
 	o.Context.Respond(rw, r, route.Produces, route, res)
 
 }
diff --git a/rest_server_zrok/operations/zrok_api.go b/rest_server_zrok/operations/zrok_api.go
index 4e7a39b8..65d6ab56 100644
--- a/rest_server_zrok/operations/zrok_api.go
+++ b/rest_server_zrok/operations/zrok_api.go
@@ -52,7 +52,7 @@ func NewZrokAPI(spec *loads.Document) *ZrokAPI {
 		ShareAccessHandler: share.AccessHandlerFunc(func(params share.AccessParams, principal *rest_model_zrok.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation share.Access has not yet been implemented")
 		}),
-		AccountChangePasswordHandler: account.ChangePasswordHandlerFunc(func(params account.ChangePasswordParams) middleware.Responder {
+		AccountChangePasswordHandler: account.ChangePasswordHandlerFunc(func(params account.ChangePasswordParams, principal *rest_model_zrok.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation account.ChangePassword has not yet been implemented")
 		}),
 		MetadataConfigurationHandler: metadata.ConfigurationHandlerFunc(func(params metadata.ConfigurationParams) middleware.Responder {
diff --git a/sdk/python/sdk/zrok/zrok_api/api/account_api.py b/sdk/python/sdk/zrok/zrok_api/api/account_api.py
index 8af0c1ee..fe1d9f42 100644
--- a/sdk/python/sdk/zrok/zrok_api/api/account_api.py
+++ b/sdk/python/sdk/zrok/zrok_api/api/account_api.py
@@ -107,7 +107,7 @@ class AccountApi(object):
             ['application/zrok.v1+json'])  # noqa: E501
 
         # Authentication setting
-        auth_settings = []  # noqa: E501
+        auth_settings = ['key']  # noqa: E501
 
         return self.api_client.call_api(
             '/changePassword', 'POST',
diff --git a/specs/zrok.yml b/specs/zrok.yml
index 5ad57a22..4952a235 100644
--- a/specs/zrok.yml
+++ b/specs/zrok.yml
@@ -19,6 +19,8 @@ paths:
     post:
       tags:
         - account
+      security:
+        - key: []
       operationId: changePassword
       parameters:
         - name: body
diff --git a/ui/src/api/account.js b/ui/src/api/account.js
index 295e2a2e..563841d0 100644
--- a/ui/src/api/account.js
+++ b/ui/src/api/account.js
@@ -110,7 +110,12 @@ export function verify(options) {
 const changePasswordOperation = {
   path: '/changePassword',
   contentTypes: ['application/zrok.v1+json'],
-  method: 'post'
+  method: 'post',
+  security: [
+    {
+      id: 'key'
+    }
+  ]
 }
 
 const inviteOperation = {